Re: How to combine lookup file with splunk query, ...

san112491 · ‎10-05-2022

Static data with one common field app Name as splunk query.

gcusello · ‎10-06-2022

as @yuanliu said, you have to find the correlation key between main search and lookup: if the common fields have the same name you can use something like this:

<your_search>
| lookup your_lookup.csv common field

if instead the field name to correlate are different, you can use:

<your_search>
| lookup your_lookup.csv lookup_field AS main_search_field

For more infos I hint to read at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Lookup

Ciao.

giuseppe

yuanliu · ‎10-05-2022

Not sure what the real question is. Assuming your static data is in the lookup file, you just define a lookup with that file, then use lookup, e.g.,

| lookup mylookup common_field

All other fields in mylookup will be populated according to match.

How to combine lookup file with splunk query, static data with live data

eval

stats

table

timechart

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?